TOKEN_GROUPS structure (winnt.h)
The TOKEN_GROUPS structure contains information about the group security identifiers (SIDs) in an access token.
Syntax
```c
typedef struct _TOKEN_GROUPS {
  DWORD GroupCount;
#if ...
  SID_AND_ATTRIBUTES *Groups[];
#else
  SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY];
#endif
} TOKEN_GROUPS, *PTOKEN_GROUPS;
```
Members
GroupCount
Specifies the number of groups in the access token.
Groups[*]
Specifies an array of SID_AND_ATTRIBUTES structures that contain a set of SIDs and corresponding attributes.
The Attributes members of the SID_AND_ATTRIBUTES structures can have the following values.
Value | Meaning |
---|---|
SE_GROUP_ENABLED | The SID is enabled for access checks. When the system performs an access check, it checks for access-allowed and access-denied access control entries (ACEs) that apply to the SID. A SID without this attribute is ignored during an access check unless the SE_GROUP_USE_FOR_DENY_ONLY attribute is set. |
SE_GROUP_ENABLED_BY_DEFAULT | The SID is enabled by default. |
SE_GROUP_INTEGRITY | The SID is a mandatory integrity SID. |
SE_GROUP_INTEGRITY_ENABLED | The SID is enabled for mandatory integrity checks. |
SE_GROUP_LOGON_ID | The SID is a logon SID that identifies the logon session associated with an access token. |
SE_GROUP_MANDATORY | The SID cannot have the SE_GROUP_ENABLED attribute cleared by a call to the AdjustTokenGroups function. However, you can use the CreateRestrictedToken function to convert a mandatory SID to a deny-only SID. |
SE_GROUP_OWNER | The SID identifies a group account for which the user of the token is the owner of the group, or the SID can be assigned as the owner of the token or objects. |
SE_GROUP_RESOURCE | The SID identifies a domain-local group. |
SE_GROUP_USE_FOR_DENY_ONLY | The SID is a deny-only SID in a restricted token. When the system performs an access check, it checks for access-denied ACEs that apply to the SID; it ignores access-allowed ACEs for the SID. If this attribute is set, SE_GROUP_ENABLED is not set, and the SID cannot be reenabled. |
Groups[ANYSIZE_ARRAY]
Specifies an array of SID_AND_ATTRIBUTES structures that contain a set of SIDs and corresponding attributes.
The Attributes members of the SID_AND_ATTRIBUTES structures can have the same values as listed for Groups[*] above.
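The following added example (not part of the original page) walks a TOKEN_GROUPS buffer defensively: it checks that GroupCount fits in the buffer before indexing the variable-length Groups array, then classifies each SID by the access-check rules in the table above. The names sid_role, group_role, token_groups_size and summarize_groups are hypothetical, and the typedefs in the #else branch are stand-ins that mirror winnt.h so the code also builds off Windows.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#else /* assumption: stand-ins mirroring winnt.h so this builds off Windows */
typedef unsigned int DWORD;
typedef struct { void *Sid; DWORD Attributes; } SID_AND_ATTRIBUTES;
typedef struct { DWORD GroupCount; SID_AND_ATTRIBUTES Groups[1]; } TOKEN_GROUPS;
#define SE_GROUP_ENABLED           0x00000004
#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010
#endif

/* Hypothetical helper type: the part a group SID plays in an access check. */
typedef enum { SID_IGNORED, SID_ALLOW_AND_DENY, SID_DENY_ONLY } sid_role;
static sid_role group_role(DWORD attrs) {
    if (attrs & SE_GROUP_USE_FOR_DENY_ONLY) return SID_DENY_ONLY; /* only deny ACEs apply */
    if (attrs & SE_GROUP_ENABLED) return SID_ALLOW_AND_DENY;      /* allow and deny ACEs */
    return SID_IGNORED;                                           /* skipped in the check */
}
/* Bytes needed for n entries; sizeof(TOKEN_GROUPS) covers only one. */
static size_t token_groups_size(DWORD n) {
    return offsetof(TOKEN_GROUPS, Groups) + (size_t)n * sizeof(SID_AND_ATTRIBUTES);
}
/* Tally SIDs per role; returns -1 if GroupCount does not fit in cb bytes. */
static int summarize_groups(const void *buf, size_t cb, int counts[3]) {
    const TOKEN_GROUPS *tg = buf;
    size_t hdr = offsetof(TOKEN_GROUPS, Groups);
    if (cb < hdr || tg->GroupCount > (cb - hdr) / sizeof(SID_AND_ATTRIBUTES))
        return -1;
    counts[SID_IGNORED] = counts[SID_ALLOW_AND_DENY] = counts[SID_DENY_ONLY] = 0;
    for (DWORD i = 0; i < tg->GroupCount; i++)
        counts[group_role(tg->Groups[i].Attributes)]++;
    return 0;
}

int main(void) {
    size_t cb = token_groups_size(3);   /* constructed sample, not a real token */
    TOKEN_GROUPS *tg = calloc(1, cb);   /* third entry stays 0, so it is ignored */
    int c[3];
    if (!tg) return 1;
    SID_AND_ATTRIBUTES *g = tg->Groups;
    tg->GroupCount = 3;
    g[0].Attributes = SE_GROUP_ENABLED;
    g[1].Attributes = SE_GROUP_USE_FOR_DENY_ONLY;
    if (summarize_groups(tg, cb, c) == 0)
        printf("enabled=%d deny-only=%d ignored=%d\n", c[SID_ALLOW_AND_DENY], c[SID_DENY_ONLY], c[SID_IGNORED]);
    free(tg);
    return 0;
}
```

On Windows the same functions can be applied to the buffer and length that the caller already holds for the token's group list.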
Requirements
Requirement | Value |
---|---|
Minimum supported client | Windows XP [desktop apps only] |
Minimum supported server | Windows Server 2003 [desktop apps only] |
Header | winnt.h (include Windows.h) |